External risk intelligence

Authentik Identity Provider: Cross-Site Scripting Risk

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-42849

An authentik identity provider vulnerability could allow cross-site scripting (XSS) attacks, potentially impacting organizations by compromising user data and unauthorized access. The issue has been addressed in recent software versions.

5Halo Surface Signal

Cross-site Scripting

Goauthentik Authentik

before 2025.12.52026.2.0 to before 2026.2.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-42849

authentik is an identity provider designed to manage authentication and identity services, which are typically deployed as public-facing gateways or identity portals to support remote access and user authentication.

PCI scan relevance

PCI Relevance for CVE-2026-42849

Yes

CVE-2026-42849 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is relevant to PCI scans as it involves a cross-site scripting (XSS) vulnerability in the authentik identity provider that could be exploited remotely.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Horizon Alert

Summary of the vulnerability and why it matters

The authentik identity provider contains a vulnerability within its Simple Flow Executor (SFE) that could allow for cross-site scripting (XSS) attacks. This flaw arises from the implementation of stages designed to support older web browsers. If exploited, an attacker could potentially inject malicious scripts, impacting user sessions and data integrity.

  • Vulnerable authentik SFE component
  • Cross-site scripting flaw
  • Compromised user sessions and data

Attack Path

How an attacker could exploit the issue

The vulnerability allows an attacker to inject malicious scripts into a web application by exploiting the AutosubmitStage within the Simple Flow Executor. This stage, designed for legacy browser compatibility, can be leveraged to execute cross-site scripting (XSS) payloads. The attack path begins with an organization's system being exposed to the internet. An attacker then gains an entry point and triggers the vulnerability through user interaction, resulting in unauthorized access and potential compromise of sensitive data.

  • Public exposure is required.
  • Attacker uses a web browser.
  • Trigger injects malicious scripts.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability exists in authentik, an open-source identity provider, that could allow for cross-site scripting (XSS) attacks. This exploit could impact organizations by compromising user data and potentially leading to unauthorized access. The issue has been addressed in recent versions of the software.

  • Attackers with low skill levels.
  • Requires user interaction.
  • High business risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows for cross-site scripting (XSS) within the AutosubmitStage of the SFE. An attacker could exploit this to inject malicious scripts, potentially leading to the compromise of user data or unauthorized actions. Organizations utilizing the affected software should prioritize addressing this security risk to protect their systems and users.

  • Identify all deployed instances of the affected software.
  • Restrict external access to the affected system.
  • Update to a patched version and verify the fix.

Frequently asked questions

What is authentik and what is it used for?

Authentik is an open-source identity provider. It's used to manage user authentication and identity services, often serving as a gateway for remote access and user login.

What is the weakness class for CVE-2026-42849?

CVE-2026-42849 is a Cross-Site Scripting (XSS) vulnerability, classified as CWE-79. This means an attacker can inject malicious scripts into a website or application viewed by others. [cite:catalog]

How can CVE-2026-42849 be triggered?

This vulnerability can be triggered if an organization's system is exposed to the internet and an attacker gains an entry point. The exploit requires user interaction within a web browser. It is not triggered if the system is not exposed externally.

Who should care about this authentik vulnerability?

Organizations running authentik, especially those with internet-facing identity services, should be concerned. The Halo Surface Signal indicates this is very likely to be relevant as identity providers are typically public-facing gateways. [cite:haloSurfaceSignal]

What are the first steps for running authentik?

If you are running the affected versions of authentik, identify all instances. Consider restricting external access to the system as a precautionary measure. The primary action is to update to a patched version, specifically 2025.12.5 or 2026.2.3, and verify the fix.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified